
Latest news with #DataBreach

A Premium Luggage Service's Web Bugs Exposed the Travel Plans of Every User—Including Diplomats

WIRED

4 days ago

  • Business
  • WIRED


Jul 24, 2025 12:00 PM

Security flaws in Airportr, a premium door-to-door luggage service used by 10 airlines, let hackers access user data and even gain privileges that would have let them redirect or steal luggage.

An airline leaving all of its passengers' travel records vulnerable to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful for those spies, would be access to a premium travel service that spans 10 different airlines, left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats. That's what one team of cybersecurity researchers found in the form of Airportr, a UK-based luggage service that partners with airlines to let its largely UK- and Europe-based users pay to have their bags picked up, checked, and delivered to their destination.

Researchers at the firm CyberX9 found that simple bugs in Airportr's website allowed them to access virtually all of those users' personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED, they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.

"Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company," says Himanshu Pathak, CyberX9's founder and CEO. "The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have the ability to do anything."
Airportr's CEO Randel Darby confirmed CyberX9's findings in a written statement provided to WIRED but noted that Airportr had fixed the vulnerabilities a few days after the researchers made the company aware of the issues last April. "The data was accessed solely by the ethical hackers for the purpose of recommending improvements to Airportr's security, and our prompt response and mitigation ensured no further risk," Darby wrote in a statement. "We take our responsibilities to protect customer data very seriously."

CyberX9's researchers, for their part, counter that the simplicity of the vulnerabilities they found means that there's no guarantee other hackers didn't access Airportr's data first. They found that a relatively basic web vulnerability allowed them to change the password of any user to gain access to their account if they had just the user's email address, and they were also able to brute-force guess email addresses with no rate limitations on the site. As a result, they could access data including all customers' names, phone numbers, home addresses, detailed travel plans and history, airline tickets, boarding passes and flight details, passport images, and signatures.

By gaining access to an administrator account, CyberX9's researchers say, a hacker could also have used the vulnerabilities it found to redirect luggage, steal luggage, or even cancel flights on airline websites by using Airportr's data to gain access to customer accounts on those sites. The researchers say they could also have used their access to send emails and text messages as Airportr, a potential phishing risk.

Airportr tells WIRED that it has 92,000 users, and claims on its website that it's handled over 800,000 bags for customers. Within the data CyberX9 accessed in its testing, the researchers found and shared with WIRED examples of passengers traveling with diplomatic passports, for several of which the front-page images were also included in the data.
These included four from the UK, two from the US, and three from Switzerland. One of the individuals, the researchers determined, was at the time of their travel a UK ambassador, and another was a US executive branch cybersecurity official. "This is a premium service," says Pathak. "We consider that a good chunk of their users are government officials, and other people of a sensitive nature."

Airportr advertises that it's the "official bag check in partner" of American Airlines, British Airways, Lufthansa, and Virgin Atlantic, along with half a dozen other major airlines, though it appears to only offer its services on flights to and from airports in the UK, Germany, Switzerland, and Austria. American Airlines, British Airways, and Virgin Atlantic didn't respond to WIRED's requests for comment, but a Lufthansa spokesperson responded in a statement. "We are dedicated to investigating any indications of a third-party data breach thoroughly and promptly," the spokesperson writes. "We take these matters seriously and are committed to maintaining the integrity and security of our data."

CyberX9's researchers first became curious about Airportr last April, after a member of the team saw the service advertised to him for flights to Europe from the United Arab Emirates, where the company is based, and heard that other staff at the company had used it. "They're handling such a sensitive task of delivering the baggage and collecting so much sensitive information, I thought we should see where they actually stand in terms of security," says the research team's lead, who asked to remain anonymous due to privacy concerns. "When I got some time to actually test it out, I found these vulnerabilities quite quickly."

The researchers found that they could monitor their browser's communications as they signed up for Airportr and created a new password, and then reuse an API key intercepted from those communications to instead change another user's password to anything they chose.
The site also lacked a "rate limiting" security measure that would prevent automated guesses of email addresses to rapidly change the password of every user's account. And the researchers were also able to find email addresses of Airportr administrators that allowed them to take over their accounts and gain their privileges over the company's data and operations.

In his response statement, Darby, the Airportr CEO, writes that "while data exposure could theoretically allow administrative access, the ability to act on such information without triggering alarms would be highly difficult." He also emphasized that the data the researchers found to be vulnerable was Airportr's alone, not that of its airline partners. "We do not have any ability to alter or influence airline operations or customers' flight details via our APIs, which are designed with read-only permissions and are tightly restricted to reduce risk to airline systems and customer data," Darby writes. (CyberX9 points out that the administrative access it gained was not, in fact, "theoretical," and Airportr didn't appear to be aware of the access until the researchers notified the company.)

Darby adds that Airportr didn't tell airlines about the vulnerability at the time. "Given the low-risk nature of the incident, as determined by our investigation, we did not at the time notify data subjects, airline partners, or supervisory authorities," he writes. "Subsequently, and given the potential visibility generated by the publication of the research and subsequent media coverage, we have decided to notify the Information Commissioner's Office (ICO) as a precautionary measure."

Airportr's airline partners shouldn't be entirely let off the hook, CyberX9's CEO Pathak says. He argues they, too, are responsible for ensuring the security of their customers' travel plans and other sensitive personal information when they recommend another service to them, a responsibility at which they "failed miserably," he says.
He argues, too, that Airportr's security flaws should serve as a warning about how third-party services, contractors and little-known partner services are often a hidden source of data leakage. "The real risk isn't always the airline itself but the small add-on services we overlook which often get promoted to us, as passengers, by the airlines and airports, services we assume are safe because we trust the airline's endorsement," says Pathak. "Your data is only as secure as the least-protected partner that touches it."

ManageEngine Enhances AD360 With Risk Exposure Management and Local User MFA Features to Strengthen Identity Threat Defenses

Al Bawaba

5 days ago

  • Business
  • Al Bawaba


ManageEngine, a division of Zoho Corporation and a leading provider of enterprise IT management solutions, today announced the general availability of identity risk exposure management and local user MFA features in AD360, its converged identity and access management (IAM) platform. The release enables security teams to detect privilege escalation risks and secure unmanaged local accounts, two common identity attack vectors that attackers continue to exploit.

Identity remains the primary attack vector in modern enterprises, as shown by Verizon's 2025 Data Breach Investigations Report, which found that credential abuse was the initial access vector in 22% of breaches. The report also highlighted widespread abuse of poorly managed local accounts and privilege paths across over 12,000 confirmed breaches.

"With this release, ManageEngine AD360 moves beyond traditional IAM by embedding identity threat defenses into core identity operations. By turning identity data into actionable security insights, we're helping customers make IAM the first line of defense, not a check box," said Manikandan Thangaraj, vice president of ManageEngine.

While most IAM tools focus on provisioning and policy enforcement, AD360 adds risk exposure mapping via attack path analysis as well as local MFA enforcement, helping enterprises close attack paths that often go undetected. This marks a key step in identity management evolving from an access control layer into an active security layer.

Capabilities

  • Identity risk exposure management: Graph-based analysis maps lateral movement and privilege escalation paths in Active Directory (AD), automatically prioritizing risky configurations and recommending remediation steps. The graph engine models AD objects as nodes and privilege inheritance as edges, revealing multi-step attack chains in real time, with actionable suggestions that IT teams can implement to close exposed paths.
  • Local user MFA: This feature extends adaptive MFA to local accounts on non-domain-joined servers, DMZ assets, and test environments, thwarting credential stuffing and persistence techniques.
  • ML-driven access recommendations: During provisioning and access review campaigns, machine learning analyzes permission patterns and suggests adjustments to implement least-privilege access, helping prevent excess entitlements.

Additionally, ManageEngine has enhanced AD360's access certification module, which now includes expanded entitlements for comprehensive review coverage, and the risk assessment capabilities feature new indicators for improved identity risk monitoring across AD and Microsoft 365 environments. These enhancements are designed to streamline compliance reporting and strengthen access governance across the enterprise. The new capabilities support NIST SP 800-207 on Zero Trust architecture, align with PCI DSS Version 4.0 Requirement 8, and facilitate SOX, HIPAA, and GDPR controls.

‘I'd do it again', says Grant Shapps over secret Afghan scheme

Telegraph

18-07-2025

  • Politics
  • Telegraph


Sir Grant Shapps has said he would 'do the same thing all over again' over the Afghan data leak super-injunction. The senior Tory politician, who was defence secretary when the injunction was first put in place, said the move to keep the data breach a secret was 'entirely justified' to protect the lives of thousands of Afghans. He made his first public comments on the data debacle after it emerged that the leak had also included the details of more than 100 Britons, including spies and members of the special forces. Sir Grant said he would 'walk over hot coals to protect those guys' and the super-injunction was needed in order to keep people safe.

It was revealed earlier this week when the super-injunction was lifted that a dataset containing the personal information of 25,000 Afghans who had applied for the Afghan Relocations and Assistance Policy (Arap) had been released 'in error' in February 2022 by a defence official. The Tory government became aware of the leak in August 2023 and Sir Ben Wallace, the then defence secretary, made the decision to apply for an injunction. Sir Grant took over as defence secretary on August 31 2023 and the High Court granted a super-injunction at the start of September. The government established a covert relocation scheme to bring the affected Afghan soldiers and their family members to the UK, amid fears they could be targeted by the Taliban, at a cost of £7 billion. Around 4,500 people have been brought to the UK or are in transit so far under the secret route.

'Would walk over hot coals to protect those guys'

Sir Grant defended the decision to use a super-injunction to keep the breach and the relocation scheme a secret. He told the BBC Radio 4 Today programme on Friday morning: 'I would just make this point, that there are things that the state just has to do secretly otherwise you would get to the point where people would say "well why aren't you releasing the nuclear codes?"

'You simply can't release everything and this was one of those times where, faced with a decision of protecting lives, both Brits and Afghanis, I would do the same thing all over again.

'I would walk over hot coals to protect those guys.'

The use of a super-injunction by the government to keep something so significant a secret has prompted major questions about transparency after Parliament was kept in the dark. Sir Grant said he was 'surprised' that the super-injunction was kept in place for so long. He also said he would support the initial defence assessment of the data leak which formed the basis of the super-injunction being handed over to the Intelligence and Security Committee of Parliament for scrutiny.

Asked the question about sharing the document with the committee, Sir Grant said: 'I will say two things. First of all, yes I would. And secondly this injunction, the super-injunction, was in place for longer than I was defence secretary, so it has been in place a lot longer under the current government than it was under us.

'I am surprised it has lasted quite so long. My expectation was, as the risks start to lessen over time and people are removed from the theatre, from Afghanistan, and measures are taken to protect the Brits on the list, that it would carry on quite so long.

'I'd thought that it was probably going to come to an end last summer or the autumn perhaps at maximum.

'So I am surprised it has taken quite so long and it is absolutely right that those committees are able to look into it properly.'

Sir Grant said he believed the public understood that 'there are times where you simply have to act in the most maximalist way in order to stop people from being murdered and executed and that is quite simply what properly happened in this case'.

Sir Lindsay Hoyle should have made ministers tell MPs about Afghan data leak, says Harriet Harman

Sky News

18-07-2025

  • Politics
  • Sky News


Commons Speaker Sir Lindsay Hoyle knew about the Afghan data leak and should have made ministers tell MPs, Dame Harriet Harman has claimed. Speaking to Beth Rigby on the Electoral Dysfunction podcast, the Labour peer said the Speaker - whose job she ran for in 2019 - should have asked for a key select committee to be made aware. A spokesperson for the Speaker said he was "himself under a super-injunction" and so "would have been under severe legal restrictions".

A massive data breach by the British military that was only made public this week exposed the personal information of close to 20,000 Afghan individuals, endangering them and their families. Successive governments tried to keep the leak secret with a super-injunction, meaning the UK only informed everyone affected on Tuesday - three-and-a-half years after their data was compromised. The breach occurred in February 2022, when Boris Johnson was prime minister, but was only discovered by the British military in August 2023. A super-injunction, which prevented the reporting of the mistake, was imposed in September of that year.

The previous Conservative government set up a secret scheme in 2023 - which can only now be revealed - to relocate Afghan nationals impacted by the data breach but who were not eligible for an existing programme to relocate and assist individuals who had worked for the British government in Afghanistan. Some 6,900 Afghans - comprising 1,500 people named on the list as well as their dependents - are being relocated to the UK as part of this programme.

Dame Harriet said: "The Speaker was warned, 'If somebody's going to say something which breaches this injunction, will you please shut them up straight away if an MP does this', and he agreed to do that.

"But what he should have done at the time is he should have said, but parliamentary accountability is important. I'm the Speaker. I'm going to stand up for parliamentary accountability. And you must tell the Intelligence and Security Committee and allow them to hold you to account.

"What's happened now is now that this is out in the open, the Intelligence and Security Committee is going to look at everything. So, it will be able to see all the papers from the MoD [Ministry of Defence]."

Pressed on whether she meant the Speaker had failed to do his job, Dame Harriet replied: "Yes, and it's a bit invidious for me to be saying that because, of course, at that time, Lindsay Hoyle was elected a speaker, I myself ran to be speaker, and the House chose him rather than me.

"So it's a bit bad to make this proposal to somebody who actually won an election you didn't win. But actually, if you think about the Speaker's role to stand up for parliament, to make sure that government is properly scrutinised, when you've got a committee there, which is security cleared to the highest level, appointed by the prime minister, and whose job is exactly to do this."

A spokesperson for the Speaker said: "As has been made clear, Mr Speaker was himself under a super-injunction, and so would have been under severe legal restrictions regarding speaking about this.

"He would have had no awareness which organisations or individuals were and were not already aware of this matter.

"The injunction could not constrain proceedings in parliament and between being served with the injunction in September 2023 and the 2024 general election, Mr Speaker granted four Urgent Questions on matters relating to Afghan refugees and resettlement schemes.

"Furthermore, as set out in the Justice and Security Act 2013, the Speaker has no powers to refer matters to the Intelligence and Security Committee."
